According to ZDNet, the feature that lets users set a four-digit PIN code to limit access to the device can be easily bypassed with a few finger taps on the iPhone, giving an intruder access to sensitive information.
Here are the steps to exploit this vulnerability (requires physical access to a passcode-protected device) to access the phone, e-mail and SMS messages, Google Maps and the full Safari browser:
Set up a passcode lock (Settings > General > Passcode Lock, then enter a 4-digit passcode). The iPhone then requires you to enter the passcode to unlock it.
Set up contacts in the address book with e-mail addresses, phone numbers and Web sites.
Turn the iPhone off and on, and move the slider to get to the “Enter Passcode” screen.
Tap the “Emergency Call” button (bottom left).
Double-tap the home button.
This pulls up all contacts in the Favorites list.
Tap on the blue arrow next to a contact’s name to get full access to e-mail, SMS, Safari, etc.
This particular vulnerability was fixed by Apple for iPhone v1.1.3 and iPod touch v1.1.3 back in January this year, but the issue affects iPhone and iPod Touch 2.0, which means the January fix never made it into the newer versions of the software.
As a workaround, users should remove all Favorites until Apple ships a proper fix. Another method would be to set the home button option under “Settings->General->Home Button” to “Home”.
An independent security research firm has announced several new mobile Java (J2ME) security vulnerabilities. Two of the vulnerabilities affect the Java virtual machine (JVM) on mobile phones and the other 14 are specific to Nokia Series 40 phones. Series 40 mobiles are not Symbian smartphones and only run J2ME MIDlets.
The security research company has produced a 170+ page report on the vulnerabilities and a number of proof-of-concept (PoC) exploits. Usually when a researcher develops PoC code or malicious samples, they provide them directly to the security research community. In this case, the researchers are asking for €20,000 (about $30,000) for early access to the research and malware. Generally after the release of vulnerability information, attackers will attempt to write exploits.
The reported vulnerabilities and exploits in the JVM could allow the running of untrusted Java MIDlets. After using those vulnerabilities, relatively recent phones running S40, 3rd edition are open to malicious MIDlets that exploit the others.
According to the researchers the vulnerabilities allow:
gaining additional privileges for a malicious MIDlet, even manufacturer or mobile carrier level
running a malicious MIDlet when the phone is first turned on
accessing files
sending SMS/MMS
making phone calls
reading your contacts
accessing the SIM card
eavesdropping using the camera and microphone
Java phones used to be affected by malware such as J2ME/Redbrowser or J2ME/Wesber, which just caused premium-rate charges. This is the first time that such phones have been vulnerable to more malicious malware.
According to Pocketgamer, it seems hackers have cracked the new N-Gage application, allowing it to work on a host of other Series 60 devices. A few online forums offer users a download link to an application that is said to work on Series 60 v3 handsets including the E65, 5700 XpressMusic, the N73, N71, E51, 6110 and 6210c.
Some forums also offer a five-step process to get the application installed on these handsets, as well as installing cracked versions of N-Gage games. The forum threads have had tens of thousands of views and claim to offer cracked versions of N-Gage games, including System Rush Evolution, Mile High Pinball, Space Impact: Kappa Base, Asphalt 3: Street Rules, and Hooked On: Creatures of the Deep.
Nokia has recently cited its strict DRM as one of the reasons why gamers would have to re-buy their N-Gage games if they switched handsets. During its First Access beta trial, Nokia looked benignly on users trying to get the N-Gage app working on non-supported phones, claiming it showed the pent-up demand for N-Gage.
The fact that online forums are offering cracked versions of the games (all one might need to find them is 10 seconds of Google searching) might be considered a problem for Nokia. The company is already aware of this issue and is supposed to provide more information and details in the near future.
According to German Crime Investigating Authorities (LKA), a malicious program running on mobile phones can make unauthorized calls. These calls are connected to a specific SMS number which is used to top up the amount of virtual money for one of the online games. A scheme to increase in-game cash via SMS messages is frequently used by online game vendors. The malware will use your phone, and accordingly your money, to add virtual cash to the attackers' accounts.
In the past, malware writers simply programmed malware to call a high-cost premium phone number from a desktop or a mobile device. With this old method it is relatively easy to trace the destination of funds, because for such calls real money is transferred from a phone company to the owner of the premium number.
This new and indirect way of laundering money through an online game makes it significantly more difficult to track the destination - several in-game transfers can be made before the money is taken out of the game through real-money trading, which is a prohibited offense in most online games (some games allow that, for example Second Life).
Users should not use programs for mobile phones that came from unverified sources like game forums, internet newsgroups, emails, P2P networks, blogs, etc. They should also be vigilant and submit suspicious programs to anti-virus vendors for analysis.
A renegade group of developers called “iPhone Dev Team” claimed they cracked Apple’s not-yet-available iPhone 2.0 software.
The iPhone Dev Team claims to have cracked the software, meaning yet more pressure on Apple Inc. in the cat and mouse game between software developers and the owners of a million unlocked iPhones and the company and its network partners. They also say they have decrypted and have jailbroken the new iPhone software, and have published a series of screenshots of third-party applications running on the device. The jailbreak currently works only with hacked activation, meaning it won’t work with AT&T iPhones yet.
Apple executives have characterized the buoyant global market in unlocked iPhones as a positive thing, suggesting strong pent-up demand for the product, which is as yet available in just four markets: U.S., U.K., Germany and France.